Group Policy edit setting not reflected in System Info
Windows 11 Pro
Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration says "Enabled".
But System Information > Virtualization-based Security Services Running does not include "Secure Launch".
Is it on or off??
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 31d623d9-316c-0ef1-b6be-c3773d77ca21
- Version Independent ID: 83ddb59d-0cfc-34f2-e666-8927d86a04a7
- Content: System Guard Secure Launch and SMM protection (Windows 10) - Windows security
- Content Source: windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
- Product: m365-security
- Technology: windows-sec
- GitHub Login: @Dansimp
- Microsoft Alias: dansimp
@paulsmason. Only a few compatible Intel processors are eligible; if your computer has a compatible processor then Secure Launch will be enabled and will be reflected in System Information.
i9-11900K? (This page at intel.com says "Intel vPro® Platform Eligibility Yes" https://ark.intel.com/content/www/us/en/ark/products/212325/intel-core-i911900k-processor-16m-cache-up-to-5-30-ghz.html)
@paulsmason Which Intel processor is installed in your computer? The i9-11900K is vPro; together with TPM 2.0, which should be embedded in the motherboard and enabled in the BIOS. You should install Windows 10 at least 1903 or a later version in the Professional or Enterprise edition, or Windows 11 Professional or Enterprise. You must enable the hypervisor in Windows Features.
i9-11900K, and here's the page at intel.com that says it's Intel vPro® Platform Eligible: https://ark.intel.com/content/www/us/en/ark/products/212325/intel-core-i911900k-processor-16m-cache-up-to-5-30-ghz.html
Windows 11 Pro, i9-11900K, TPM 2.0 enabled, UEFI, Secure Boot on, Kernel DMA Protection On
Virtualization-based security: Running
Virtualization-based security Required Security Properties: Base Virtualization Support, Secure Boot, DMA Protection
Virtualization-based security Available Security Properties: Base Virtualization Support, Secure Boot, DMA Protection, Secure Memory Overwrite, UEFI Code Readonly, SMM Security Mitigations 1.0, Mode Based Execution Control, APIC Virtualization
Virtualization-based security Services Configured: Credential Guard, Hypervisor enforced Code Integrity, Secure Launch
Virtualization-based security Services Running: Credential Guard, Hypervisor enforced Code Integrity << but not Secure Launch !!! >>
but ... Group Policy Manager shows Secure Launch Enabled
Windows 11 Pro, i9-11900K, TPM 2.0 enabled, UEFI, Secure Boot on, Kernel DMA Protection On.
When I turn on Hyper-V in Windows Features and enable Secure Launch in the Group Policy Editor, I still don't see Secure Launch under "Virtualization-based security Services Running", and under Settings -> Privacy & Security -> Windows Security -> Device Security -> Core isolation details I see a switch to turn on Firmware Protection, but it is greyed out and above it the following words appear in red: "This setting is managed by your administrator." Of course, I am running an administrator account.
@paulsmason Check whether group policy is applied on DeviceGuard. Check whether any extra registry keys are added under DeviceGuard.
To get rid of the "This setting is managed by your administrator" message, I have had to do a clean re-install of Windows 11 Pro. I then ran Windows Update. This is the current state of my PC:
The registry contains the following entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
(Default) REG_SZ (value not set)
CachedDrtmAuthIndex REG_DWORD 0x00000000 (0)
RequireMicrosoftSignedBootChain REG_DWORD 0x00000001 (1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
(Default) REG_SZ (value not set)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard
(Default) REG_SZ (value not set)
Enabled REG_DWORD 0x00000000 (0)
(There are no other entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.)
System Information displays the following:
OS Name Microsoft Windows 11 Pro
Processor: 11th Gen Intel(R) Core(TM) i9-11900K @ 3.50GHz, 3504 Mhz, 8 Core(s), 16 Logical Processor(s)
BIOS Mode: UEFI
Kernel DMA Protection: On
Virtualization-based security: Running
Virtualization-based security Required Security Properties:
Virtualization-based security Available Security Properties: Base Virtualization Support, Secure Boot,
DMA Protection, Secure Memory Overwrite, UEFI Code Readonly, SMM Security Mitigations 1.0,
Mode Based Execution Control, APIC Virtualization
Virtualization-based security Services Configured:
Virtualization-based security Services Running: Credential Guard, Hypervisor enforced Code Integrity
Windows Defender Application Control policy: Enforced
Windows Defender Application Control user mode policy: Off
Device Encryption Support: Reasons for failed automatic device encryption: Hardware Security Test
Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s)
detected, WinRE is not configured
A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Settings > Privacy & security > Windows Security > Device Security shows:
Security Processor: Your security processor, called the trusted platform module (TPM)
is providing additional encryption for your device.
Secure boot: Secure Boot is on, preventing malicious software from loading when your
device starts up.
Your device meets the requirements for enhanced hardware security.
Core Isolation (in detail):
Memory integrity: On
Memory access protection
Protects your device's memory from malicious external devices.
Microsoft Defender Credential Guard
Credential Guard is protecting your account login from attacks.
<< Firmware protection NOT SHOWN>>
Windows Features shows:
Hyper V: unchecked
Hyper V Management Tools: unchecked
Hyper-V Platform: unchecked
Local Group Policy Editor > Administrative Templates > System > Device Guard shows:
Turn on Virtualization Based Security: Not Configured
Select Platform Security Level: blank
Virtualization Based Protection of Code Integrity: blank
Require UEFI Memory Attributes Table: unchecked
Credential Guard Configuration: blank
Secure Launch Configuration: blank
What should I do to turn on Firmware protection?
Many thanks - Paul
@paulsmason, the eligible Windows OS editions are Windows 10 Enterprise or Education only, and Windows 11 Enterprise or Education only.
But you may try on Windows 11 Pro by adding a registry key using the command prompt.
fix 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard /v Enabled /t REG_DWORD /d 1
fix 2
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard /v Enabled /t REG_DWORD /d 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard /v Managed /t REG_DWORD /d 1
Note: I have Windows 11 Enterprise without an eligible Intel vPro processor, so Firmware protection shows on the page, but it does not turn on.
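A check for the mismatch this thread is about (Secure Launch configured by policy or registry but not reported as running), added here as an example; it is not code from the thread or from Microsoft's documentation. It reads the Scenarios\SystemGuard key from the fix above together with the Win32_DeviceGuard WMI class that System Information reports from; the value name ConfigureSystemGuardLaunch under the Policies\DeviceGuard key is assumed to be what the "Secure Launch Configuration" policy writes.

```powershell
# Added diagnostic, not code from the thread or from Microsoft's docs.
# Run in an elevated PowerShell prompt on the machine being checked.

# Service IDs as reported by the Win32_DeviceGuard WMI class.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor enforced Code Integrity'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function Get-RegDword([string]$Path, [string]$Name) {
    # Return the DWORD, or $null when the key or value is absent, without throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-ServiceName([uint32]$Id) {
    # Cast to [int] so the lookup matches the literal keys of the hashtable above.
    if ($serviceNames.ContainsKey([int]$Id)) { $serviceNames[[int]$Id] } else { "unknown($Id)" }
}

# Registry side: the scenario key set by the fix in the thread, and the policy value
# (value name assumed from the Device Guard ADMX).
$scenarioKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$scenarioEnabled = Get-RegDword $scenarioKey 'Enabled'
$policyValue     = Get-RegDword $policyKey   'ConfigureSystemGuardLaunch'

# Platform side: what the hypervisor actually reports (same source as System Information).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$configured = @($dg.SecurityServicesConfigured)
$running    = @($dg.SecurityServicesRunning)

function Write-Row([string]$Label, $Value) { '{0,-36}: {1}' -f $Label, $Value }
Write-Row 'Policy ConfigureSystemGuardLaunch' $(if ($null -eq $policyValue) { 'not set' } else { $policyValue })
Write-Row 'Scenarios\SystemGuard Enabled' $(if ($null -eq $scenarioEnabled) { 'not set' } else { $scenarioEnabled })
Write-Row 'Services configured' (($configured | ForEach-Object { Get-ServiceName $_ }) -join ', ')
Write-Row 'Services running' (($running | ForEach-Object { Get-ServiceName $_ }) -join ', ')

# The situation in this thread: Secure Launch (ID 3) configured but not running.
if ($configured -contains 3 -and $running -notcontains 3) {
    'Secure Launch is configured but not running: check the Windows edition, DRTM support in CPU/firmware, and that nothing else under the DeviceGuard keys overrides the policy.'
} elseif ($running -contains 3) {
    'Secure Launch is running.'
} else {
    'Secure Launch is not configured.'
}
```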
Sorry it's taken me so long to get back to you. Does this mean that Secure Launch / Firmware protection is available ONLY on Enterprise and Education editions? If so, how do you know that? Is it in the Microsoft on-line documentation? I can't find it anywhere. Many, many thanks - Paul Mason